Am I safe from MS Advisory 2963983 by using a different application to host the MSIE rendering engine?

5

2

Microsoft Security Advisory 2963983

Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: April 26, 2014

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

My understanding is that you are supposed to use Internet Explorer: Enhanced Security Configuration and/or disable ActiveX/Adobe Flash and use Trusted Sites to be able to use IE securely.

My problem is that I have to use IE because of a certain web application that uses ActiveX.

My question: if I use another browser that uses the same rendering engine as IE, will I still be safe? Avant Browser uses the same engine that displays the web pages and does work fine for my web application. But will it be safe from that security bug?

There are even plugins and extensions for Chrome/Firefox that will open a web page using the IE Web Browser Control within Chrome/Firefox. These browsers use built-in ActiveX, but Chrome & Firefox are not affected by this security issue. Will it be safe though?

Logman

Posted 2014-04-29T14:32:23.053

Reputation: 3 452

This question has been edited to genericise it and make it apply to future scenarios, now that the update is out – kinokijuf – 2014-05-03T21:28:30.653

Sorry, I rolled the question back because the bounty was for a specific question relating to an issue I have to resolve. – Logman – 2014-05-03T22:02:39.453

Please don’t edit it back, the question in its current state is outdated now that KB2964358 is out. Answer to your current question is: update your system. Answer to the generic question was given by @harrymc. – kinokijuf – 2014-05-03T22:04:52.913

Answers

1

If another browser uses the same rendering engine as IE then it is also vulnerable. In effect, there is not much difference between IE and its ActiveX object.

Your KB article links to MS14-021 which better explains the issue. It also says:

Add sites that you trust to the Internet Explorer Trusted sites zone

After you set Internet Explorer to block ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to the Internet Explorer Trusted sites zone. This will allow you to continue to use trusted websites exactly as you do today, while helping to protect yourself from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, perform the following steps:

  1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.
  2. In the Select a web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.
  3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.
  4. In the Add this website to the zone box, type the URL of a site that you trust, and then click Add.
  5. Repeat these steps for each site that you want to add to the zone.
  6. Click OK two times to accept the changes and return to Internet Explorer.

Use this procedure to add only the websites in which you must use ActiveX to the Trusted sites zone, so that ActiveX will be permitted for them, and them only.

harrymc

Posted 2014-04-29T14:32:23.053

Reputation: 306 093

The IE Tab add-on lets you use ActiveX controls in Chrome, but you must have Internet Explorer installed on your computer to use it. The add-on uses the version of Internet Explorer you currently have installed to open pages in Chrome. IE Tab basically opens Internet Explorer within Chrome. Since it pulls data from the version of IE you currently have installed, the developers recommend keeping Internet Explorer up to date to ensure the add-on is as secure as possible. – Logman – 2014-05-03T22:16:11.057
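
Added example, not part of the answer or of Microsoft's bulletin: a read-only PowerShell audit of what the Trusted sites procedure quoted in the answer leaves behind, showing whether ActiveX and Active Scripting are blocked in the Internet and Local intranet zones and which sites sit in the Trusted sites zone. It assumes the settings are stored in the current user's registry hive (values applied through Group Policy or Enhanced Security Configuration are stored elsewhere and are not read here); the function names are made up for illustration.

```powershell
# Added example: read-only audit of the current user's IE security zones.
# Assumption: per-user settings under HKCU; policy-managed values are not read.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# URL action IDs, zone numbers and setting values used by the zone registry keys.
$actions = @{ '1200' = 'Run ActiveX controls and plug-ins'; '1400' = 'Active scripting' }
$zones   = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$states  = @{ 0 = 'Enabled'; 1 = 'Prompt'; 3 = 'Disabled' }

function Get-ZoneActionReport {
    foreach ($zone in ($zones.Keys | Sort-Object)) {
        $props = Get-ItemProperty -Path "$base\Zones\$zone" -ErrorAction SilentlyContinue
        foreach ($id in ($actions.Keys | Sort-Object)) {
            $value = if ($props) { $props.$id } else { $null }
            $state = if ($null -eq $value) { 'Not set for this user' }
                     elseif ($states.ContainsKey([int]$value)) { $states[[int]$value] }
                     else { "Other ($value)" }
            [pscustomobject]@{
                Zone    = $zones[$zone]
                Action  = $actions[$id]
                State   = $state
                Blocked = ($value -eq 3)   # the workaround asks for these to be blocked
            }
        }
    }
}

function Get-TrustedSiteEntry {
    $root = "$base\ZoneMap\Domains"
    if (-not (Test-Path $root)) { return }
    Get-ChildItem -Path $root -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {          # 2 = Trusted sites zone
                # Key path below Domains is "domain" or "domain\subdomain".
                $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
                [array]::Reverse($parts)
                [pscustomobject]@{
                    Site      = ($parts -join '.')
                    Scheme    = $scheme
                    HttpsOnly = ($scheme -eq 'https')    # False if step 3 cleared the https box
                }
            }
        }
    }
}

Get-ZoneActionReport | Format-Table -AutoSize
Get-TrustedSiteEntry | Format-Table -AutoSize
```

Any row with `Blocked` set to False, or a trusted site that is not `HttpsOnly`, is worth reviewing against the list of sites that actually need ActiveX.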